Use Case: Specifying Indicator Patterns for Cyber Threats - STIXProject/use-cases GitHub Wiki


Specifying Indicator Patterns for Cyber Threats

Abstraction Level (High, Medium or Low): High

Related Use Cases:

Description: A cyber threat analyst specifies measurable patterns representing the observable characteristics of specific cyber threats, along with their threat context and the relevant metadata for interpreting, handling, and applying the pattern and its matching results. This may be done manually or with the assistance of automated tooling and structured instantial threat information. For example, in the case of a confirmed phishing attack, a cyber threat analyst may harvest the relevant set of observables (e.g., To/From addresses, actual source, subject, embedded URLs, type of attachments, specific attachment) from the performed analysis of the phishing email, identify the relevant TTPs exhibited in the phishing attack, perform kill chain correlation of the attack, assign appropriate confidence for the indicator, determine appropriate handling guidance, generate any relevant automated rule patterns for the indicator (e.g., Snort, YARA, OVAL), assign any suggested courses of action, and package it all up as a coherent record for sharing and future reference.
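The following is an added example, not code from the STIX project or this wiki, showing the packaging step described above in working form. It assumes STIX 2.1 JSON serialization (the use case does not name a version), constructs fictional phishing observables with an obvious placeholder attachment hash, and uses a hypothetical minimal matcher that covers only the equality/AND/OR subset of STIX patterning, enough to check that the harvested observables match the pattern built from them and that a changed subject does not.

```python
"""Added example: package harvested phishing observables as a STIX 2.1
Indicator with kill chain, confidence and handling context, then evaluate
the pattern against constructed observations (stdlib only)."""
import json
import re
import uuid
from datetime import datetime, timezone

# TLP:AMBER marking-definition id as defined in the STIX 2.1 specification
# (used here as the indicator's handling guidance).
TLP_AMBER = "marking-definition--f88d31f6-dabd-4dfb-92c6-a4b4c0f6a4f5"

# Constructed observables "harvested" from a fictional phishing email;
# the SHA-256 is a placeholder, not a real indicator of compromise.
HARVESTED = {
    "email-message:from_ref.value": "billing@invoice-portal.example",
    "email-message:subject": "Overdue invoice #4471",
    "file:hashes.'SHA-256'": "00" * 32,
}


def _literal(value: str) -> str:
    """Quote a string as a STIX pattern literal, escaping backslash and quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_pattern(observables: dict) -> str:
    """One observation expression in which every harvested property must hold."""
    parts = [f"{path} = {_literal(val)}" for path, val in sorted(observables.items())]
    return "[" + " AND ".join(parts) + "]"


def build_indicator(observables: dict, *, confidence: int = 85, now=None) -> dict:
    """Package the pattern and its threat context as a STIX 2.1 Indicator object."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": "Phishing: overdue-invoice lure (constructed example)",
        "description": "Email-message and attachment properties harvested "
                       "from the analysis of a confirmed phishing sample.",
        "indicator_types": ["malicious-activity"],
        "pattern": build_pattern(observables),
        "pattern_type": "stix",
        "valid_from": stamp,
        # Kill chain correlation: a phishing email is the delivery phase.
        "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                               "phase_name": "delivery"}],
        "confidence": confidence,             # analyst-assigned, 0-100
        "object_marking_refs": [TLP_AMBER],   # handling guidance
    }


# property-path = 'literal' followed by an optional AND/OR connective
_COMPARISON = re.compile(r"(\S+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*(AND|OR)?")


def _unescape(raw: str) -> str:
    return re.sub(r"\\(.)", r"\1", raw)


def pattern_matches(pattern: str, observation: dict) -> bool:
    """Hypothetical minimal evaluator: a single bracketed observation expression
    of '=' comparisons joined by AND/OR, with AND binding tighter than OR, tested
    against an observation given as {property path: value}."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected one bracketed observation expression")
    body = body[1:-1]
    groups, current, pos = [], [], 0   # groups are OR-ed; each group is AND-ed
    for m in _COMPARISON.finditer(body):
        if body[pos:m.start()].strip():
            raise ValueError(f"unparsed pattern text: {body[pos:m.start()]!r}")
        path, raw, op = m.groups()
        current.append(observation.get(path) == _unescape(raw))
        if op == "OR":
            groups.append(current)
            current = []
        pos = m.end()
    if body[pos:].strip():
        raise ValueError(f"unparsed pattern text: {body[pos:]!r}")
    groups.append(current)
    return any(all(g) for g in groups if g)


if __name__ == "__main__":
    indicator = build_indicator(HARVESTED)
    print(json.dumps(indicator, indent=2))
    print("matches harvested sample:", pattern_matches(indicator["pattern"], HARVESTED))
```

The record carries the same elements the use case lists for the analyst to capture: the measurable pattern, the kill chain phase, the confidence value, and handling guidance via the TLP marking reference. A real deployment would validate the pattern with a full STIX patterning implementation rather than the equality-only subset shown here.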

Stakeholders/Goals:

  • Stakeholder: Stakeholder description (replace with your content)
  • Goal: Goal description (replace with your content)

Preconditions:

  1. Precondition description (replace with your content)

Dependencies:

  1. Dependency description (replace with your content)

Main Success Scenario:

  1. Scenario description (replace with your content)